New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Initialize the AuditEvent with the AuditContext #113611
Conversation
/triage accepted |
} | ||
|
||
// AuditIDFrom returns the value of the audit ID from the request context. | ||
func AuditIDFrom(ctx context.Context) (types.UID, bool) { | ||
if ac := AuditContextFrom(ctx); ac != nil { | ||
return ac.auditID, ac.auditID != "" | ||
return ac.Event.AuditID, true |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nit: Is it always initialized with an ID, so that we don't need to check for empty string as it initialized by WithAuditInit
. Isn't it making it easier to make a mistake if the audit pkg is used outside of k8s.io/apiserver
? I could imagine that it takes some debugging to figure out that it can be true on an empty string.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, the audit ID is always initialized at the same time as the audit context: https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/apiserver/pkg/endpoints/filters/audit_init.go#L41-L50
But you bring up a good point. Looking at everywhere this is used, I think the bool return value is really meant to indicate whether auditing is enabled. This method isn't used in very many places, so I think we should probably just inline it with an explicit auditContext.Enabled()
check instead.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Actually, since the eventual goal is to make the AuditContext.Event
non-exported, I think it makes sense to keep this function as-is for now.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
According to the updated description, ac.Enabled()
should be returned instead, in case the policy level is "None".
I am not sure whether that would still align with the original purpose of the bool.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this comment still open?
RequestURI: req.URL.RequestURI(), | ||
UserAgent: maybeTruncateUserAgent(req), | ||
Level: level, | ||
func LogRequestMetadata(ctx context.Context, req *http.Request, requestReceivedTimestamp time.Time, level auditinternal.Level, attribs authorizer.Attributes) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We use the audit package for or openshift/oauth-server and the removal of NewEventFromRequest
would break our tests. So I rewrote them against your PR and the usage of the audit package is now really nice. All the changes around the removal of *[]annotations
are amazing! 🎉
lgtm |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this LGTM, I have a few minor comments, thanks!
key, value string | ||
// Enabled checks whether auditing is enabled for this audit context. | ||
func (ac *AuditContext) Enabled() bool { | ||
return ac != nil && ac.Event.Level != auditinternal.LevelNone |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think the initial default should return false
, right?
func TestEnabled(t *testing.T) {
ac := &AuditContext{}
if ac.Enabled() {
t.Errorf("expected the default to return false")
}
}
maybe add len(ac.Event.Level) > 0
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No, this is intentional. If annotations (or any other request metadata) are recorded before the policy is evaluated, we want to store them. Once the policy is evaluated to None
we can stop doing the work in that case. I'll add a comment & test to this affect.
@@ -167,8 +131,8 @@ func WithAuditContext(parent context.Context) context.Context { | |||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it's safer for the the initial context to return a LevelNone
for the Level
field
func WithAuditContext(parent context.Context) context.Context {
if AuditContextFrom(parent) != nil {
return parent // Avoid double registering.
}
ac := &AuditContext{
Event: {
Level: LevelNone
}
}
return genericapirequest.WithValue(parent, auditKey, ac)
}
kubernetes/staging/src/k8s.io/apiserver/pkg/audit/context.go
Lines 159 to 166 in 17bf864
// WithAuditContext returns a new context that stores the AuditContext. | |
func WithAuditContext(parent context.Context) context.Context { | |
if AuditContextFrom(parent) != nil { | |
return parent // Avoid double registering. | |
} | |
return genericapirequest.WithValue(parent, auditKey, &AuditContext{}) | |
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
See above comment about capturing data before the policy is evaluated.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yes, with the above approach, we are good here.
@@ -283,11 +283,6 @@ func TestAuthenticationAuditAnnotationsDefaultChain(t *testing.T) { | |||
// confirm that we can set an audit annotation in a handler before WithAudit | |||
audit.AddAuditAnnotation(req.Context(), "pandas", "are awesome") | |||
|
|||
// confirm that trying to use the audit event directly would never work |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
maybe we should confirm here that the level is set to LevelNone
, assert that ac.Enabled() == false
, in keeping with the current test assertion?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
(See above comments)
@@ -188,19 +152,16 @@ func WithAuditID(ctx context.Context, auditID types.UID) { | |||
return | |||
} | |||
ac := AuditContextFrom(ctx) | |||
if ac == nil { | |||
if !ac.Enabled() { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think storing the auditID
in the request context is orthogonal to audit logging. A cluster operator can disable audit logging, but we would still want to store the auditID in the request context. The auditID is also propagated to the aggregated APIServer(s).
We have some logs that emit the auditID, for example:
klog.ErrorS(nil, "apiserver panic'd", "method", req.Method, "URI", req.RequestURI, "audit-ID", audit.GetAuditIDTruncated(req.Context())) |
I think we would want to keep the log correlation ^, even though audit logging is disabled, thoughts?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, that makes sense. You might also be interested in this issue, which has come up a couple of times in sig-apimachinery: #101597
@@ -81,8 +75,7 @@ func AddAuditAnnotation(ctx context.Context, key, value string) { | |||
// keysAndValues are the key-value pairs to add, and must have an even number of items. | |||
func AddAuditAnnotations(ctx context.Context, keysAndValues ...string) { | |||
ac := AuditContextFrom(ctx) | |||
if ac == nil { | |||
// auditing is not enabled | |||
if !ac.Enabled() { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
same as the above comment
/lgtm Thanks! |
/assign @lavalamp |
/assign @liggitt |
/unassign |
/milestone v1.28 Punting this to the next release. Hopefully we can get it merged early in the cycle. |
Hey! v1.28 Bug Triage Lead here. I am reaching out to know if this PR is on track for the 1.28 release and if we could set a priority? Thanks in advance! |
/approve Please unhold when https://github.com/kubernetes/kubernetes/pull/113611/files#r1173750961 is clarified. |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: sttts, tallclair The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
@tallclair hey! Can we please label this with priority? Also, just a reminder that the code freeze is starting 01:00 UTC Wednesday 19th July 2023 / 18:00 PDT Tuesday 18th July 2023 (about 3 weeks from now) and while there is still plenty of time, we want to ensure that each PR has a chance to be merged on time. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm cancel
https://github.com/kubernetes/kubernetes/pull/113611/files#r1231007227 has not been addressed yet
@@ -65,8 +62,7 @@ type annotation struct { | |||
// prefer AddAuditAnnotation over LogAnnotation to avoid dropping annotations. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This godoc mentions functions that no longer exist, please fix that. Perhaps the changes from #117406 might be applicable here?
/lgtm |
LGTM label has been added. Git tree hash: 0c3c22de7f9e5557e679b50aeb4888c2409d9e81
|
Thanks for getting this merged. I'm on leave right now, but I'll make sure to pick this back up in the next release cycle. |
What type of PR is this?
/kind cleanup
What this PR does / why we need it:
Always initialize the audit event at the beginning of the request chain, and store audit data directly on the event.
Which issue(s) this PR fixes:
For #109087
Does this PR introduce a user-facing change?
/sig auth api-machinery
/milestone v1.26